Cannot populate system certificates under IIS 7.5

Posted: 02/20/2013 00:58:59
There is no problem when debugging in VS using the same source code.
When I run under IIS, the RefreshSystemCertificateList() method
doesn't populate the certificates list. Is there a permission
problem or something similar?

private void RefreshSystemCertificateList()
{
      // _SystemStore.Count must be > 0
      // under IIS 7.5 it always returns 0
}

Posted: 02/20/2013 01:16:55
by Ken Ivanov (Team)


Note that there are two copies of all system certificate stores (e.g. MY) available under a particular user account - a 'current user' (individual for every particular user) and a 'local machine' ones (shared between users, subject to access rights). TElWinCertStorage allows to specify which copy to browse with the AccessType property, which should be assigned prior to adding store names to the SystemStores list. The default value of this property is TSBStorageAccessType.atCurrentUser that corresponds to the 'current user' copy.

As IIS runs under a different system account, its 'current user' copy differs from that what you see when running the code under your account. This way you should add the needed certificates either to IIS account's 'current user' copy of the store, or to the 'local machine' copy so that they could be accessible by any user account on the machine. The easiest way to do this is to use MMC. Please note that the account under which IIS runs may be subject to certain access restrictions, so using its 'current user' copy of the store might be the only workable option.

Posted: 02/20/2013 01:46:37
I'm using smart card, I cannot copy the certificate. How can I share it with IIS?

Posted: 02/20/2013 01:51:56
by Ken Ivanov (Team)

First of all please try to set AccessType to TSBStorageAccessType.atLocalMachine and check if the certificate is visible in this case.

Posted: 02/20/2013 02:09:43
No, only 1 certificate listed and it's not the smartcard. How can I choose a specific user?

Posted: 02/20/2013 02:47:32
by Ken Ivanov (Team)

It's not possible to 'choose' a user - the process should run under a different user account to be able to access the relevant store. You can play with impersonation (LogonUser API call), but this is not the best option to be honest, due to potential side effects with access rights and the need to p/invoke.

Please try to set the ReadOnly property to true and repeat the checks. Please try the following access types (with ReadOnly set to true):


If none of the above works, it could help to have a look at the token configuration tool. It might allow you to specify which users have access to the private key and let the IIS account use the key.

Posted: 02/20/2013 03:14:22
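A small diagnostic that walks the "MY" system store under each access type named in this thread and reports what the running account can see, as an added example (not code from the original posts or from the SecureBlackbox project). The property names AccessType, ReadOnly, SystemStores and Count and the TSBStorageAccessType values come from the posts above; the SBWinCertStorage namespace, the CountInMyStore helper name and the use of WindowsIdentity to show the running account are assumptions.

```csharp
// Added diagnostic example; not code from the thread or from the SecureBlackbox vendor.
// Assumes the SecureBlackbox .NET assembly exposes TElWinCertStorage in the
// SBWinCertStorage namespace (assumption); AccessType, ReadOnly, SystemStores and
// Count are the property names used in the thread.
using System;
using System.Security.Principal;
using SBWinCertStorage;

public static class CertStoreProbe
{
    // Open the "MY" store under one access type and return how many certificates
    // the current process identity can see there; -1 (with a message) on failure.
    public static int CountInMyStore(TSBStorageAccessType accessType, bool readOnly, out string error)
    {
        error = null;
        var storage = new TElWinCertStorage();
        try
        {
            // Order matters: AccessType and ReadOnly are set BEFORE the store name is
            // added, because adding a name to SystemStores is what opens the store.
            storage.AccessType = accessType;
            storage.ReadOnly = readOnly;
            storage.SystemStores.Add("MY");
            return storage.Count;
        }
        catch (Exception ex)
        {
            // atServices / atUsers can fail for accounts that lack rights, as seen in the thread.
            error = ex.Message;
            return -1;
        }
    }

    public static void Main()
    {
        // Under IIS this is the application pool identity, i.e. the account whose
        // 'current user' copy of the store is actually being read.
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

        var types = new[]
        {
            TSBStorageAccessType.atCurrentUser,
            TSBStorageAccessType.atLocalMachine,
            TSBStorageAccessType.atServices,
            TSBStorageAccessType.atUsers
        };

        foreach (var t in types)
        {
            string err;
            int n = CountInMyStore(t, readOnly: true, out err);
            if (n < 0)
                Console.WriteLine(t + ": open failed (" + err + ")");
            else
                Console.WriteLine(t + ": " + n + " certificate(s) in MY");
        }
    }
}
```

Run it once from the interactive account where the smart card certificate is visible and once under the IIS application pool identity; the two "Running as" lines and the per-access-type counts show directly which copy of the store each account is reading, which is the distinction the reply above describes.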
It failed at atServices and atUsers. Others return no certificate. Better I'll make a console utility and call it as user from aspx page to use certificates and sign PDF files.

Posted: 02/20/2013 03:24:38
by Eugene Mayevski (Team)

Unless you have specific reasons to keep the certificate in the atCurrentUser store, a better option is to import it into the atLocalMachine\My store; then you will have no problems accessing it later. You can import it in code or using the Microsoft Management Console (Certificates snap-in).

Posted: 02/20/2013 03:35:51
by Ken Ivanov (Team)

Yes, it is an option, but please note that the console application should be launched under the account under which the certificate is accessible (so you would need some level of impersonation anyway).

Posted: 02/20/2013 03:36:35
I use a smartcard and I cannot import the certificate (private key).

To impersonate, this page helps:



